LoFP / legitimate import of keys

Techniques

Sample rules

Potential Suspicious Registry File Imported Via Reg.EXE

Description

Detects the import of '.reg' files from suspicious paths using the 'reg.exe' utility.

Detection logic

condition: all of selection_*
selection_cli:
  CommandLine|contains: ' import '
selection_img:
- Image|endswith: \reg.exe
- OriginalFileName: reg.exe
selection_paths:
  CommandLine|contains:
  - C:\Users\
  - '%temp%'
  - '%tmp%'
  - '%appdata%'
  - \AppData\Local\Temp\
  - C:\Windows\Temp\
  - C:\ProgramData\

Imports Registry Key From a File

Description

Detects the import of the specified file to the registry with regedit.exe.

Detection logic

condition: all of selection_* and not all of filter_*
filter_1:
  CommandLine|contains|windash:
  - ' -e '
  - ' -a '
  - ' -c '
filter_2:
  CommandLine|re: :[^ \\]
selection_cli:
  CommandLine|contains:
  - ' /i '
  - ' /s '
  - .reg
selection_img:
- Image|endswith: \regedit.exe
- OriginalFileName: REGEDIT.EXE
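The two rules above, re-implemented as plain Python over a handful of constructed process-creation events. This is an added example, not code from the LoFP page or the Sigma project; the event values and the simplified windash expansion (forward-slash variant only) are assumptions. It shows why a regedit export is suppressed only when both filters match, and why a reg.exe import from Program Files does not fire at all.

```python
import re

# Constructed sample process-creation events, not real telemetry.
def event(image, orig, cmdline):
    return {"Image": image, "OriginalFileName": orig, "CommandLine": cmdline}

REG, REGEDIT = (r"C:\Windows\System32\reg.exe", "reg.exe"), (r"C:\Windows\regedit.exe", "REGEDIT.EXE")
EVENTS = {
    "reg_import_temp": event(*REG, r"reg.exe import C:\Users\alice\AppData\Local\Temp\update.reg"),
    "reg_import_progfiles": event(*REG, r"reg.exe import C:\Program Files\Vendor\settings.reg"),
    "regedit_silent_import": event(*REGEDIT, r"regedit.exe /s C:\ProgramData\Vendor\settings.reg"),
    "regedit_export": event(*REGEDIT, r"regedit.exe -e backup.reg HKEY_LOCAL_MACHINE\SOFTWARE\Vendor"),
    "regedit_export_drive_relative": event(*REGEDIT, r"regedit.exe /e D:export.reg HKEY_LOCAL_MACHINE\SOFTWARE\Vendor"),
}

SUSPICIOUS_PATHS = ["C:\\Users\\", "%temp%", "%tmp%", "%appdata%",
                    "\\AppData\\Local\\Temp\\", "C:\\Windows\\Temp\\", "C:\\ProgramData\\"]

def contains(value, needles):
    """Sigma 'contains': case-insensitive substring match against any needle."""
    low = value.lower()
    return any(n.lower() in low for n in needles)

def windash(needles):
    """Sigma 'windash': also accept the '/' form of each '-' switch (Unicode dash variants omitted here)."""
    return [v for n in needles for v in (n, n.replace("-", "/", 1))]

def image_is(ev, name):
    """selection_img: Image ends with \\<name> OR OriginalFileName equals <name> (case-insensitive)."""
    return ev["Image"].lower().endswith("\\" + name) or ev["OriginalFileName"].lower() == name

def reg_import_suspicious_path(ev):
    cl = ev["CommandLine"]
    return image_is(ev, "reg.exe") and contains(cl, [" import "]) and contains(cl, SUSPICIOUS_PATHS)

def regedit_import(ev):
    cl = ev["CommandLine"]
    selection = image_is(ev, "regedit.exe") and contains(cl, [" /i ", " /s ", ".reg"])
    filter_1 = contains(cl, windash([" -e ", " -a ", " -c "]))
    filter_2 = re.search(r":[^ \\]", cl) is not None
    # 'not all of filter_*' suppresses only when BOTH filters match; one alone does not.
    return selection and not (filter_1 and filter_2)

RULES = {"Potential Suspicious Registry File Imported Via Reg.EXE": reg_import_suspicious_path,
         "Imports Registry Key From a File": regedit_import}

def run_rules(events=EVENTS):
    """Return, per event name, the list of rule titles that fire."""
    return {name: [title for title, rule in RULES.items() if rule(ev)] for name, ev in events.items()}
```

Calling run_rules() shows the export with only ' -e ' still alerting, because filter_2 (a colon not followed by a space or backslash) does not match that command line.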